Re: [PATCH 5/9] security: keys: trusted: Allow storage of PCR values in creation data

From: Jarkko Sakkinen
Date: Fri Feb 19 2021 - 22:10:08 EST

Next message: Yang Li: "[PATCH v2] xfrm: Fix incorrect types in assignment"
Previous message: Jarkko Sakkinen: "Re: [PATCH 4/9] security: keys: trusted: Store the handle of a loaded key"
In reply to: Matthew Garrett: "[PATCH 5/9] security: keys: trusted: Allow storage of PCR values in creation data"
Next in thread: Ben Boeckel: "Re: [PATCH 5/9] security: keys: trusted: Allow storage of PCR values in creation data"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Sat, Feb 20, 2021 at 01:32:51AM +0000, Matthew Garrett wrote:
> When TPMs generate keys, they can also generate some information
> describing the state of the PCRs at creation time. This data can then
> later be certified by the TPM, allowing verification of the PCR values.
> This allows us to determine the state of the system at the time a key
> was generated. Add an additional argument to the trusted key creation
> options, allowing the user to provide the set of PCRs that should have
> their values incorporated into the creation data.
>
> Signed-off-by: Matthew Garrett <mjg59@xxxxxxxxxx>

LGTM too.

Something popped into mind: could we make PCR 23 reservation dynamic
instead of a config option.

E.g. if the user space uses it, then it's dirty and hibernate will
fail. I really dislike the static compilation time firewall on it.

/Jarkko

Next message: Yang Li: "[PATCH v2] xfrm: Fix incorrect types in assignment"
Previous message: Jarkko Sakkinen: "Re: [PATCH 4/9] security: keys: trusted: Store the handle of a loaded key"
In reply to: Matthew Garrett: "[PATCH 5/9] security: keys: trusted: Allow storage of PCR values in creation data"
Next in thread: Ben Boeckel: "Re: [PATCH 5/9] security: keys: trusted: Allow storage of PCR values in creation data"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]